Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa

Bluebottle, a financially motivated cyber-crime group, continues targeting Francophone banks in Africa using living-off-the-land techniques and commodity malware; no custom malware was observed. The campaign aligns with prior OPERA1ER activity but introduces new TTPs, such as a potential ISO infection vector and GuLoader as an initial loader. #Bluebottle #OPERA1ER #GuLoader

Key points

  • Bluebottle continues targeting banks in Francophone African countries using living-off-the-land techniques and commodity tools; no custom malware is observed in this campaign.
  • The activity shows strong ties to OPERA1ER (Group-IB’s name for similar activity), including the same domain and some of the same tools.
  • New TTPs observed in 2022 include potential ISO infection vectors and the use of GuLoader as an initial loader, with signs of kernel driver abuse to disable defenses.
  • Initial infection likely via spear-phishing emails with job-themed lures; some samples mimic PDFs (e.g., “fiche de poste.exe”).
  • Post-compromise toolset includes GuLoader, Netwire RAT, Quasar RAT, and Cobalt Strike Beacon; Mimikatz and other credential theft steps are part of the activity.
  • Persistence and defense evasion involve a signed driver to terminate processes, registry modifications, firewall changes, and RDP expansion using RDPWrap and additional accounts via net localgroup.
  • Three financial institutions across three African nations were compromised, with cross-victim tool reuse and overlapping infrastructure suggesting coordinated activity.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – The earliest malicious files found on victim networks had French-language, job-themed file names and were likely delivered via spear-phishing emails. Quotes: “…it’s most likely these files were delivered to victims via a spear-phishing email…”
  • [T1105] Ingress Tool Transfer – Downloaders and payloads fetched from external URLs (e.g., hxxp://178.73.192[.]15/ca1.exe) to stage additional loaders. Quotes: “download a malicious .NET downloader from URLs such as hxxp://178.73.192[.]15/ca1.exe”
  • [T1055] Process Injection – GuLoader’s NSIS script decrypts and injects obfuscated shellcode into another process. Quotes: “This NSIS script decrypts and injects obfuscated shellcode into another process.”
  • [T1021.001] Remote Services – Lateral movement via PsExec and RDP-related techniques (RDPWrap to enable concurrent RDP sessions; opening firewall port 3389). Quotes: “For lateral movement, the attackers deployed… PsExec” and “The Autoupdatebat ‘Automatic RDP Wrapper installer and updater’ tool to enable multiple concurrent RDP sessions on a system” and “opens port 3389 on the firewall”
  • [T1003.001] Credential Dumping – Use of Mimikatz and WDigest modification as part of credential theft. Quotes: “deploying Mimikatz” and “modifying the WDigest setting”
  • [T1033] Account Discovery – Quser used to enumerate user sessions during discovery. Quote: “Quser for user discovery”
  • [T1136.001] Create Account – Persistence via adding new local accounts (net localgroup /add). Quote: “added additional accounts using the ‘net localgroup /add’ command”
  • [T1482] Domain Trust Discovery – Use of SharpHound for domain trust enumeration during lateral movement. Quote: “SharpHound for domain trust enumeration”
  • [T1562.001] Impair Defenses – Kernel driver abuse to disable defenses (signed driver) and related components. Quotes: “abusing kernel drivers to disable defenses” and “signed ‘helper’ driver”
  • [T1021.004] Remote Services (RDP) – RDPWrap enabling multiple concurrent RDP sessions and registry modifications to support RDP access. Quotes: “RDPWrap script to enable multiple concurrent RDP sessions” and “modifies the registry and opens port 3389”
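The techniques above are almost all built from native Windows commands, so they are best hunted in process-creation telemetry (Sysmon Event ID 1 or Security 4688) rather than by file hash. The following is an added example, not code from the original report or from Symantec, that applies loose command-line rules for the quoted behaviours to constructed sample events. The `net localgroup /add`, `quser`, `PsExec` and RDP Wrapper strings come from the page; the `netsh` and `reg add` forms are assumptions about how “opens port 3389 on the firewall” and “modifying the WDigest setting” would appear on the command line, and every host name, user and path in the sample data is constructed.

```python
"""Hunt process-creation records for the living-off-the-land commands
described in the Bluebottle write-up.

Sample events are constructed (not real telemetry) and mimic the image
and command-line fields of a Sysmon Event ID 1 / Security 4688 record.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str


# (technique label as used on the page, description, pattern over the command line).
# Patterns are deliberately loose: spacing, quoting and option order vary.
RULES = [
    ("T1136.001", "local account added with 'net localgroup ... /add'",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\b.*\s/add\b", re.I)),
    ("T1021.001", "firewall rule opening RDP port 3389 (assumed netsh form)",
     re.compile(r"\bnetsh\b.*\b(advfirewall|firewall)\b.*\b3389\b", re.I)),
    ("T1003.001", "WDigest UseLogonCredential changed (assumed reg.exe form)",
     re.compile(r"\bWDigest\b.*\bUseLogonCredential\b", re.I)),
    ("T1021.004", "RDP Wrapper installer/updater executed",
     re.compile(r"\b(rdpwrap|autoupdate\.bat|RDPWInst)\b", re.I)),
    ("T1033", "quser used for session discovery",
     re.compile(r"\bquser(\.exe)?\b", re.I)),
    ("T1021.001", "PsExec used for lateral movement",
     re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
]


def match_event(event):
    """Return the list of (technique, description) pairs that fire on one event."""
    return [(technique, description)
            for technique, description, pattern in RULES
            if pattern.search(event.command_line)]


def hunt(events):
    """Group hits by host; hosts with no hits are omitted."""
    results = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            results.setdefault(ev.host, []).extend(hits)
    return results


# Constructed sample telemetry (hosts, users and paths are invented).
BENIGN_EVENT = ProcessEvent("WS-HR-07", r"corp\a.user", r"C:\Windows\System32\net.exe",
                            r"net use Z: \\fileserver\share")

SAMPLE_EVENTS = [
    ProcessEvent("WS-FIN-01", r"corp\f.user", r"C:\Windows\System32\net.exe",
                 'net localgroup "Remote Desktop Users" support2 /add'),
    ProcessEvent("WS-FIN-01", r"corp\f.user", r"C:\Windows\System32\netsh.exe",
                 'netsh advfirewall firewall add rule name="RDP" dir=in '
                 'protocol=TCP localport=3389 action=allow'),
    ProcessEvent("WS-FIN-01", r"corp\f.user", r"C:\Windows\System32\reg.exe",
                 r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
                 r" /v UseLogonCredential /t REG_DWORD /d 1 /f"),
    ProcessEvent("SRV-APP-02", r"corp\svc_backup", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Users\Public\RDPWrap\autoupdate.bat"),
    ProcessEvent("SRV-APP-02", r"corp\svc_backup", r"C:\Users\Public\PsExec.exe",
                 r"PsExec.exe \\SRV-DB-01 -s cmd.exe"),
    ProcessEvent("WS-HR-07", r"corp\a.user", r"C:\Windows\System32\quser.exe", "quser"),
    BENIGN_EVENT,
    ProcessEvent("WS-HR-07", r"corp\a.user", r"C:\Windows\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for host, hits in sorted(hunt(SAMPLE_EVENTS).items()):
        for technique, description in hits:
            print(f"{host}: [{technique}] {description}")
```

Any single rule will produce benign noise (administrators do add local accounts and run `quser`), which is why the output is grouped per host: several of these behaviours on one machine within a short window is the signal worth triaging, and the post-compromise chain on the page produces exactly that clustering.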

Indicators of Compromise

  • File hashes (SHA-256) – 117c66c0aa3f7a5208b3872806d481fd8d682950573c2a7acaf7c7c7945fe10d, c56c915cd0bc528bdb21d6037917d2e4cde18b2ef27a4b74a0420a5f205869e6
  • Network indicators (URLs) – hxxp://files[.]ddrive[.]online:444/load, hxxp://85.239.34[.]152/download/XWO_UnBkJ213.bin
  • Domain – personnel[.]bdm-sa[.]fr
  • IP addresses – 185.225.73[.]165, 178.73.192[.]15
  • File names – fiche de poste.exe, fiche de candidature.exe
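The indicators above are defanged (`hxxp`, `[.]`), so they cannot be matched against logs as written. The following is an added example, not part of the original report, that refangs the page's indicators, derives the host part of each URL so a bare DNS lookup also hits, and sweeps a handful of constructed proxy, DNS and endpoint records for them. The indicator values are the ones listed on the page plus the `ca1.exe` URL from the MITRE section; every log line, host name, client address and path is constructed for the demonstration.

```python
"""Refang the defanged indicators from the Bluebottle summary and sweep
log lines for them. Log lines below are constructed samples, not real data.
"""
import re
from urllib.parse import urlsplit

# Indicator values as listed on the page (defanged).
RAW_IOCS = {
    "sha256": [
        "117c66c0aa3f7a5208b3872806d481fd8d682950573c2a7acaf7c7c7945fe10d",
        "c56c915cd0bc528bdb21d6037917d2e4cde18b2ef27a4b74a0420a5f205869e6",
    ],
    "url": [
        "hxxp://files[.]ddrive[.]online:444/load",
        "hxxp://85.239.34[.]152/download/XWO_UnBkJ213.bin",
        "hxxp://178.73.192[.]15/ca1.exe",
    ],
    "domain": ["personnel[.]bdm-sa[.]fr"],
    "ip": ["185.225.73[.]165", "178.73.192[.]15"],
    "filename": ["fiche de poste.exe", "fiche de candidature.exe"],
}

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(value):
    """Undo the common defanging conventions: '[.]' -> '.', leading 'hxxp' -> 'http'."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def build_indicator_sets(raw=RAW_IOCS):
    """Refang everything and add each URL's host to the host set."""
    urls = {refang(u).lower() for u in raw["url"]}
    hosts = {refang(h).lower() for h in raw["domain"] + raw["ip"]}
    for u in urls:
        hosts.add(urlsplit(u).hostname)
    return {
        "url": urls,
        "host": hosts,
        "sha256": {h.lower() for h in raw["sha256"]},
        "filename": {f.lower() for f in raw["filename"]},
    }


def sweep_line(line, iocs):
    """Return the set of (type, indicator) pairs present in one log line."""
    lowered = line.lower()
    hits = set()
    for url in iocs["url"]:
        if url in lowered:
            hits.add(("url", url))
    for host in iocs["host"]:
        # The host must stand alone, not be a substring of a longer name.
        if re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w.-])", lowered):
            hits.add(("host", host))
    for digest in HASH_RE.findall(lowered):
        if digest in iocs["sha256"]:
            hits.add(("sha256", digest))
    for name in iocs["filename"]:
        if name in lowered:
            hits.add(("filename", name))
    return hits


def sweep(lines, iocs=None):
    """Return {line_number: hits} for every line with at least one hit (1-based)."""
    iocs = iocs or build_indicator_sets()
    findings = {}
    for number, line in enumerate(lines, 1):
        hits = sweep_line(line, iocs)
        if hits:
            findings[number] = hits
    return findings


# Constructed sample records: a proxy log, a DNS log and an endpoint file inventory.
SAMPLE_LINES = [
    "proxy 10.20.1.37 GET http://178.73.192.15/ca1.exe 200",
    "dns   10.20.1.37 A personnel.bdm-sa.fr",
    "proxy 10.20.1.38 GET https://www.example.org/index.html 200",
    "dns   10.20.1.38 A update.example.org",
    r"edr   WS-HR-07 C:\Users\Public\fiche de poste.exe "
    "117c66c0aa3f7a5208b3872806d481fd8d682950573c2a7acaf7c7c7945fe10d",
    r"edr   WS-HR-07 C:\Windows\notepad.exe "
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for number, hits in sorted(sweep(SAMPLE_LINES).items()):
        print(f"line {number}: {sorted(hits)}")
```

The host match deliberately fires on the URL line as well as the DNS line, so a sweep of DNS telemetry alone still catches a beacon to `178.73.192.15` even when the proxy never saw the full URL; the filename indicators are the weakest of the set (job-application file names are common in HR mailboxes) and are better treated as pivots for a hash or sender check than as standalone alerts.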

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa